5

I followed the instructions here for setting up a gateway and a lambda but it does not work. The symptoms appear to be the same as described here but the fixes suggested there did not work.

My infrastructure definition is as follows:

resource "aws_apigatewayv2_api" "lambda_api" {
    name          = "${upper(var.project)}-${upper(var.environment)}-${var.gateway_name}"
    protocol_type = "HTTP"
}

resource "aws_apigatewayv2_stage" "lambda_default" {
    name        = "$default"
    api_id      = aws_apigatewayv2_api.lambda_api.id
    auto_deploy = true
}

resource "aws_apigatewayv2_integration" "gateway_to_lambda" {
    api_id                 = aws_apigatewayv2_api.lambda_api.id
    integration_type       = "AWS_PROXY"
    connection_type        = "INTERNET"
    integration_method     = "POST"
    integration_uri        = aws_lambda_function.executable.arn
    payload_format_version = "2.0"
}

resource "aws_apigatewayv2_route" "route" {
    api_id    = aws_apigatewayv2_api.lambda_api.id
    route_key = "GET /profile"
    target    = "integrations/${aws_apigatewayv2_integration.gateway_to_lambda.id}"
}

resource "aws_lambda_permission" "execution_lambda_from_gateway" {
    statement_id  = "AllowExecutionFromAPIGateway"
    action        = "lambda:InvokeFunction"
    function_name = aws_lambda_function.executable.function_name
    principal     = "apigateway.amazonaws.com"

    source_arn = "${aws_apigatewayv2_api.lambda_api.arn}/*/*"
}

On the gateway side it looks like things are created correctly: I have an integration that connects my path 'profile' to the lambda: [screenshot]

However, when I look on the lambda the trigger is missing: [screenshot]

When I try to hit the endpoint I get an "internal server error" message.

When I manually add the trigger in my lambda then it works but not under the 'profile' route key that I specified.

What am I missing here to correctly route my /profile in the API Gateway to my lambda?

6
  • Can you please remove source_arn = "${aws_apigatewayv2_api.lambda_api.arn}/*/*" and try again? Also, if you set this up manually, you can verify the correct permissions that the AWS console creates automatically for you. Commented Nov 25, 2021 at 21:59
  • Removing the source_arn worked. I didn't have to touch permissions so it looks like they were correct. Perhaps I'm expecting the wrong thing, but in the Function Overview I still don't see the gateway as a trigger? Is this a UI bug or is trigger in this context something else? Commented Nov 26, 2021 at 0:01
  • 1
    But the API works? The lambda AWS trigger display is not perfect. As long as the API works, you shouldn't worry about the AWS console display. Commented Nov 26, 2021 at 0:03
  • Yes the API works. TY! Now onto making authorizer and CORS work... Commented Nov 26, 2021 at 0:37
  • 1
    @Marcin Could you provide an explanation as to WHY this works? Commented Aug 10, 2023 at 15:20

2 Answers

2

Based on the comments, the solution was to modify the permissions (remove source_arn):

resource "aws_lambda_permission" "execution_lambda_from_gateway" {
    statement_id  = "AllowExecutionFromAPIGateway"
    action        = "lambda:InvokeFunction"
    function_name = aws_lambda_function.executable.function_name
    principal     = "apigateway.amazonaws.com"
}

2 Comments

Removing the permissions was not the fix. The fix was to remove the source_arn.
@PrzemekLach That's what I wrote. Your new permissions do not have source_arn.
2

Removing the source arn from your permission is not the correct answer - FIXING the source arn is the correct solution. You are specifying the arn of the gateway when you should be specifying the execution_arn instead.

source_arn = "${aws_apigatewayv2_api.lambda_api.arn}/*/*"

Should be:

source_arn = "${aws_apigatewayv2_api.lambda_api.execution_arn}/*/*"

By removing the source_arn = entirely you open up the lambda to be invoked by any(?) api-gateway which is probably a security issue.

If the permission is correctly set up - you WILL see the gateway as a trigger in the lambda AWS console.

1 Comment

This is the correct solution. You have to specify the execution_arn for the API Gateway instance.
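The difference between the two answers shows up in the function's resource policy: the API's `arn` attribute is an `arn:aws:apigateway:` ARN, while `execution_arn` is an `arn:aws:execute-api:` ARN. The following is an added example, not code from the question or either answer. It audits a policy document (the JSON in the `Policy` field of `aws lambda get-policy`) for all three variants; the account id, region, API id and function name are constructed, and only the `aws` partition is assumed.

```python
import json

FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:example"  # constructed

def _statement(sid, source_arn=None):
    """Build a constructed statement shaped like the ones aws_lambda_permission creates."""
    stmt = {"Sid": sid, "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}
    if source_arn:
        stmt["Condition"] = {"ArnLike": {"AWS:SourceArn": source_arn}}
    return stmt

# Constructed sample policy: one statement per variant discussed in this thread.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    _statement("NoSourceArn"),
    _statement("ApiArn", "arn:aws:apigateway:us-east-1::/apis/a1b2c3d4e5/*/*"),
    _statement("ExecutionArn", "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/*/*"),
]})

def source_arns(statement):
    """Return aws:SourceArn values from any condition operator (key is case-insensitive)."""
    found = []
    for operands in statement.get("Condition", {}).values():
        for key, value in operands.items():
            if key.lower() == "aws:sourcearn":
                found.extend([value] if isinstance(value, str) else value)
    return found

def audit(policy_json):
    """Map each API Gateway Allow statement's Sid to 'unscoped', 'not-execute-api' or 'ok'."""
    results = {}
    for stmt in json.loads(policy_json)["Statement"]:
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if stmt.get("Effect") != "Allow" or "apigateway.amazonaws.com" not in services:
            continue
        arns = source_arns(stmt)
        if not arns:
            results[stmt.get("Sid", "?")] = "unscoped"         # source_arn removed
        elif all(a.startswith("arn:aws:execute-api:") for a in arns):
            results[stmt.get("Sid", "?")] = "ok"               # execution_arn form
        else:
            results[stmt.get("Sid", "?")] = "not-execute-api"  # e.g. the API's own arn
    return results

if __name__ == "__main__":
    for sid, verdict in audit(SAMPLE_POLICY).items():
        print(f"{sid}: {verdict}")
```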
